US11095651B2 - Communication apparatus and non-transitory computer readable storage medium - Google Patents
- Publication number
- US11095651B2
- Authority
- US
- United States
- Prior art keywords
- allowed
- communication
- whitelist
- abnormality
- communication apparatus
- Prior art date
- Legal status
- Active, expires
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- The present invention relates to a communication apparatus having a whitelist function.
- A whitelist function can be used to reduce risk when the network is compromised by an attacker.
- The whitelist function restricts the operations of any object not registered in a list that is generated in advance to indicate the terminals and applications that are allowed to perform operations such as communications.
- The whitelist function is very effective at prohibiting undefined operations.
- The technology described in Japanese Patent Application Laid-open Publication No. 2017-005402 is known as a technology for applying the whitelist function to a communication apparatus such as a network switch.
- Japanese Patent Application Laid-open Publication No. 2017-005402 discloses “a communication apparatus including: a storage unit that stores a whitelist having therein header information included in received data during a generation period; and a transfer unit that receives data during an operation period, allows to transfer the data to a destination in a case where header information included in the data is stored in the whitelist and the reception of the data occurred within a time frame related to communication control using the whitelist of the header information included in the data, which is based on a reception history of data received during the operation period, and does not allow to transfer the data to the destination in a case where the header information included in the data is stored in the whitelist but the reception of the data did not occur within the time frame.”
- Japanese Patent Application Laid-open Application No. 2010-003054 discloses “a network management system including: a data obtaining apparatus that receives data sent from an IP node and stores the latest reception time of data sent from each IP node; and a management apparatus that identifies the operation state of each IP node based on the latest reception time of each IP node stored in a memory unit of the data obtaining apparatus.”
- A communication apparatus having the whitelist function is configured to generate a whitelist that registers the objects allowed to perform communications, based on the header information of received packets and the like.
- The prior communication apparatus can detect packets of an object that is not registered, based on the whitelist.
- For an object that is registered in the whitelist, the communication apparatus determines that the communication is legitimate and transfers the packets. This means that the prior communication apparatus has the problem of being incapable of detecting an abnormality of an object registered in the whitelist. Examples of such an abnormality include a lost terminal due to unauthorized removal or theft, and intrusion into the network using an object infected with a virus.
- A monitoring system for the operation of objects such as terminals, and a security appliance, need to be installed in addition to the communication apparatus.
- If the monitoring system and the security appliance are installed, the overall system becomes more complex and its cost increases.
- An object of the present invention is to provide a communication apparatus and a program that detect an abnormality of an object that is registered in a whitelist.
- A representative example of the present invention disclosed in this specification is as follows: a communication apparatus that transfers received data comprises an arithmetic device, a storage device coupled to the arithmetic device, and a communication interface coupled to the arithmetic device, and stores a whitelist to manage an allowed object that is allowed to perform communications via the communication apparatus.
- The communication apparatus comprises: a transfer unit configured to perform transfer control on the received data based on the whitelist; and a control unit configured to analyze behavior related to communications performed by the allowed object.
- The control unit is configured to calculate a monitoring parameter that indicates the behavior related to the communications performed by the allowed object, and to detect an allowed object in which an abnormality occurred, based on the monitoring parameter.
- A communication apparatus having the whitelist function can thereby detect an abnormality of an object, such as a terminal, that is allowed to perform communications.
- FIG. 1 is a diagram showing a configuration example of a communication system of Embodiment 1;
- FIG. 2 is a diagram showing a configuration example of a relay apparatus of Embodiment 1;
- FIG. 3A and FIG. 3B are diagrams showing an example of the data structure of a whitelist stored in a whitelist storage memory of Embodiment 1;
- FIG. 4 is a flowchart for explaining the process executed by a packet transfer unit of Embodiment 1 in a learning state;
- FIG. 5 is a flowchart for explaining the process executed by a whitelist generating program of Embodiment 1 in the learning state;
- FIG. 6 is a flowchart for explaining the process executed by a monitoring program of Embodiment 1 in the learning state;
- FIG. 7 is a flowchart for explaining the process executed by the packet transfer unit of Embodiment 1 in an operating state;
- FIG. 8 is a flowchart for explaining the process executed by the monitoring program of Embodiment 1 in the operating state;
- FIG. 9 is a flowchart for explaining the process executed periodically by the monitoring program of Embodiment 1 in the operating state.
- A relay apparatus of the present invention performs the following processes on an object (terminal or application) registered in a whitelist.
- In the following description, the object registered in the whitelist is referred to as an allowed object.
- The relay apparatus analyzes behavior related to communications performed by the allowed object in a network. Specifically, the relay apparatus calculates a monitoring parameter that indicates the behavior related to communications. As described below, a communication interval is used as the monitoring parameter.
- If a terminal that is the allowed object, or a terminal on which an application that is the allowed object runs, is infected with a virus and used as a stepping stone for a DDoS attack, the terminal performs communications frequently, at short time intervals.
- Therefore, the relay apparatus detects an allowed object that performs communications at a communication interval shorter than a prescribed threshold, and determines that the detected allowed object is infected with a virus.
- Likewise, the relay apparatus detects an allowed object that performs communications at a communication interval greater than a prescribed threshold, in other words, an allowed object that performs no communications for a prescribed period of time, and determines that the detected allowed object is lost.
- FIG. 1 is a diagram showing a configuration example of a communication system of Embodiment 1.
- FIG. 2 is a diagram showing a configuration example of a relay apparatus 100 of Embodiment 1.
- The communication system includes a plurality of relay apparatuses 100 and a plurality of terminals 101.
- A relay apparatus 100 and other communication apparatuses are coupled to one another via a network 105 such as a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet.
- Each of the plurality of relay apparatuses 100 is coupled to the plurality of terminals 101.
- A terminal 101 is a server, smartphone, or tablet on which the application runs. This embodiment is not limited by the type of the terminal 101.
- The relay apparatus 100 is a communication apparatus that relays data (packets) passing through the network.
- The relay apparatus 100 of this embodiment stores therein a whitelist 800 (see FIG. 3A) for realizing the whitelist function.
- The whitelist 800 is a list that includes information to identify the objects allowed to perform communications (allowed objects).
- The relay apparatus 100 includes a plurality of packet reception units 200, a plurality of packet transmission units 250, a packet transfer unit 300, a software control unit 400, an apparatus time management unit 500, and an input/output interface 600.
- The respective components described above are installed as hardware.
- The number given to each packet reception unit 200 is an identification number for that packet reception unit 200.
- The number given to each packet transmission unit 250 is an identification number for that packet transmission unit 250.
- A packet reception unit 200 and a packet transmission unit 250 may be one device (a packet transmission/reception unit).
- The packet reception unit 200 receives a packet from an external device such as the terminal 101 or another relay apparatus 110, and sends the packet to the packet transfer unit 300. At this time, the packet reception unit 200 adds control information to the received packet. Examples of the control information include the identification number of the packet reception unit 200 and the identification number of the VLAN (virtual LAN).
- The packet reception unit 200 may have a wired or a wireless connection with the external device. In the case of a wired connection, the packet reception unit 200 is coupled to the external device via a cable such as a metal cable or an optical cable.
- The packet transmission unit 250 receives the packet from the packet transfer unit 300, and transmits the packet to the external device.
- The packet transmission unit 250 may have a wired or a wireless connection with the external device. In the case of a wired connection, the packet transmission unit 250 is coupled to the external device via a cable such as a metal cable or an optical cable.
- The packet transfer unit 300 performs a transfer control process, such as transferring or discarding the received packet, based on the whitelist 800.
- The packet transfer unit 300 is constituted of hardware such as an FPGA (field programmable gate array) in order to perform simple commands at high speed, such as high-speed search for information registered in the whitelist 800 and wire-rate communication of packets.
- The software control unit 400 performs processes such as generating the whitelist 800, and generating and transmitting an alert.
- The detailed configuration of the software control unit 400 is explained below.
- The apparatus time management unit 500 manages the time of the relay apparatus 100.
- The time of the relay apparatus 100 may be obtained through synchronization with a time server using NTP (network time protocol) or the like, or may be obtained based on an input through an input/output device 700. In this case, the relay apparatus 100 does not need to include the apparatus time management unit 500.
- The input/output interface 600 is an interface for connecting the input/output device 700.
- The input/output device 700 includes an input device such as a keyboard, a mouse, or a touch panel, and an output device such as a display or a printer.
- An administrator or the like inputs information into the relay apparatus 100 and retrieves information from the relay apparatus 100 through the input/output device 700.
- The input/output device 700 may be included in the relay apparatus 100.
- The packet transfer unit 300 includes a destination determining unit 310, a time determining unit 320, a transfer table memory 330, a whitelist storage memory 340, a transfer setting memory 350, and a timer storage memory 360.
- The transfer table memory 330 is a storage device that stores a transfer table (not shown in the figure) used to transfer packets.
- Examples of the transfer table memory 330 include a CAM (content addressable memory) and a DRAM (dynamic random-access memory).
- The transfer table has a known configuration, and thus a detailed description thereof is omitted here.
- The transfer table has entries that store the correspondence between the header information of a packet and the identification information of the packet transmission unit 250 that is the destination of the packet.
- The transfer table is configured by an administrator or the like. Examples of the transfer table include the MAC address table used for layer 2 communication of the OSI (Open System Interconnection) reference model and the routing table used for layer 3 communication of the OSI reference model.
- The whitelist storage memory 340 is a storage device that stores the whitelist 800 (see FIG. 3A).
- The whitelist storage memory 340 is a CAM or a DRAM, for example.
- The whitelist 800 is generated by the software control unit 400.
- The transfer setting memory 350 is a storage device that stores information specifying the state of the relay apparatus 100, setting information for the transfer control, and the like.
- The transfer setting memory 350 is a DRAM, for example.
- The information stored in the transfer setting memory 350 is configured by an administrator or the like.
- The states of the relay apparatus 100 of this embodiment include a learning state and an operating state.
- The learning state is a state for generating the whitelist 800.
- The operating state is a state for performing the transfer control on packets based on the whitelist 800.
- The learning state takes place during a period in which the communication system is not actually operating, such as a network configuration period.
- The state of the relay apparatus 100 is changed based on an instruction (a command) input by the administrator or the like.
- The administrator or the like inputs the instruction through the input/output device 700.
- The timer storage memory 360 is a storage device that stores a parameter (timer value) for monitoring behavior related to the communications performed by the allowed object.
- The timer storage memory 360 is a RAM (random access memory), for example.
- The destination determining unit 310 refers to the transfer table stored in the transfer table memory 330, using the header information of the received packet as a key, and determines the destination of the packet.
- The destination determining unit 310 also controls the state of the relay apparatus 100 based on the information stored in the transfer setting memory 350.
- The destination determining unit 310 obtains header information and control information from the received packet, and sends the obtained information to the software control unit 400.
- The destination determining unit 310 executes the transfer control process on the packet based on the information stored in the transfer setting memory 350.
- The destination determining unit 310 performs the transfer process using the whitelist 800 and the transfer table. Specifically, the destination determining unit 310 refers to the whitelist 800 and determines whether the object for which the packet is transmitted or received is an allowed object. If that object is not an allowed object, the destination determining unit 310 executes the transfer control process on the packet based on the information set in the transfer setting memory 350.
- The time determining unit 320 obtains the current time from the apparatus time management unit 500, and determines the reception time of the packet and the like. The time determining unit 320 also sends the determined time to a CPU 410 of the software control unit 400, which executes a monitoring program 423 described later.
- The software control unit 400 has a CPU (control processing unit) 410 and a software memory 420.
- The CPU 410 executes programs stored in the software memory 420.
- The CPU 410 operates as function units that realize specific functions by executing processes in accordance with the programs. In the descriptions below, when a process is described as being performed by a program for realizing a specific function, this means that the CPU 410 is executing that program.
- The software memory 420 is constituted of a ROM (read-only memory), which is a non-volatile storage element, and a RAM, which is a volatile storage element.
- The ROM stores programs such as the BIOS (basic input/output system).
- The RAM stores the programs to be executed by the CPU 410, and includes a work area that the programs use temporarily.
- The software memory 420 of this embodiment stores a whitelist generating program 421, a transfer setting program 422, and a monitoring program 423.
- The whitelist generating program 421 generates the whitelist 800 by analyzing received packets, and stores the whitelist 800 in the whitelist storage memory 340.
- The transfer setting program 422 stores, in the transfer table memory 330 and the transfer setting memory 350, the setting information input through the input/output device 700.
- In the learning state, the monitoring program 423 sets the monitoring parameters used for detecting an abnormality of the allowed object. In the operating state, the monitoring program 423 detects an abnormality of the allowed object based on those monitoring parameters.
- In this embodiment, the packet transfer unit 300 and the software control unit 400 are realized as different pieces of hardware, but they may alternatively be realized as one piece of hardware.
- FIG. 3A and FIG. 3B are diagrams showing an example of the data structure of the whitelist 800 stored in the whitelist storage memory 340 of Embodiment 1.
- In the figures the whitelist 800 is divided into two parts, but the actual whitelist is managed as one table.
- The whitelist 800 includes at least one entry constituted of a plurality of fields. One entry corresponds to one allowed object.
- The whitelist 800 shown in FIG. 3A includes n entries. The fields of an entry hold values obtained from the control information and the header information, as well as values for monitoring the behavior related to the communications performed by the allowed object.
- Each entry included in the whitelist 800 is constituted of an ID 801, a packet_reception_unit_number 802, a VLAN_number 803, a Source_Mac_Address 804, a Destination_Mac_Address 805, a Protocol 806, a Source_IP_Address 807, a Destination_IP_Address 808, a Source_Port_number 809, a Destination_Port_number 810, a minimum communication interval 811, a maximum communication interval 812, a last communication time 813, and a timer 814.
- The ID 801 is a field that stores identification information uniquely identifying an entry included in the whitelist 800.
- The packet_reception_unit_number 802 is a field that stores identification information uniquely identifying the packet reception unit 200.
- The VLAN_number 803 is a field that stores identification information of the VLAN to which the packet reception unit 200 belongs. Values included in the control information are set in the packet_reception_unit_number 802 and the VLAN_number 803.
- The Source_Mac_Address 804 is a field that stores the MAC address of the source of a packet.
- The Destination_Mac_Address 805 is a field that stores the MAC address of the destination of a packet.
- The Protocol 806 is a field that stores a value indicating the type of the protocol.
- The Source_IP_Address 807 is a field that stores the IP address of the source of a packet.
- The Destination_IP_Address 808 is a field that stores the IP address of the destination of a packet.
- The Source_Port_number 809 is a field that stores the port number of the source of a packet.
- The Destination_Port_number 810 is a field that stores the port number of the destination of a packet.
- Values included in the header information are set in the Source_Mac_Address 804, the Destination_Mac_Address 805, the Protocol 806, the Source_IP_Address 807, the Destination_IP_Address 808, the Source_Port_number 809, and the Destination_Port_number 810.
- The minimum communication interval 811 is a field that stores the minimum value of the communication interval.
- The maximum communication interval 812 is a field that stores the maximum value of the communication interval.
- The last communication time 813 is a field that stores the time at which a communication of the allowed object corresponding to the entry was performed.
- The last communication time 813 stores the time at which a packet was last received, for example.
- The timer 814 is a field that stores the elapsed time since the last communication time 813. That is, the timer 814 stores a value indicating the communication interval of the allowed object.
- The minimum communication interval 811 and the maximum communication interval 812 store a threshold for monitoring the behavior related to the communications performed by the allowed object, and the last communication time 813 stores the time at which the relay apparatus 100 last received a packet related to the allowed object.
- The timer 814 holds the timer value measured by the timer.
- One entry needs to include a field that stores at least one value from the control information and the header information.
- An entry may also include a field that stores a value included in the header information, such as TOS (type of service), flag, TTL (time to live), ID, version, or a header value.
- FIG. 4 is a flowchart for explaining the process executed by the packet transfer unit 300 of Embodiment 1 in the learning state.
- FIG. 5 is a flowchart for explaining the process executed by the whitelist generating program 421 of Embodiment 1 in the learning state.
- FIG. 6 is a flowchart for explaining the process executed by the monitoring program 423 of Embodiment 1 in the learning state.
- In the learning state, the relay apparatus 100 analyzes received packets, and generates and updates the whitelist 800 based on the analysis result.
- The transfer table is also updated as needed.
- The packet transfer unit 300 obtains the header information and the control information of the packet, and sends the obtained header information and control information to the software control unit 400 (Step S101).
- At this time, the time determining unit 320 of the packet transfer unit 300 obtains the current time from the apparatus time management unit 500, and determines the reception time of the packet.
- The packet transfer unit 300 sends the header information, the control information, and the reception time of the packet to the software control unit 400.
- The packet transfer unit 300 then determines whether the transfer table needs to be updated (Step S102).
- The packet transfer unit 300 determines that the transfer table needs to be updated.
- If the transfer table does not need to be updated, the packet transfer unit 300 ends the process.
- If the transfer table needs to be updated, the packet transfer unit 300 updates the transfer table (Step S103).
- The method of updating the transfer table is known technology, and therefore a detailed description thereof is omitted.
- In a case of receiving the header information and the like from the packet transfer unit 300, the software control unit 400 temporarily stores the received header information and the like in the software memory 420, and calls the whitelist generating program 421.
- The whitelist generating program 421 obtains the header information and the control information of the packet from the software memory 420 (Step S201).
- The whitelist generating program 421 refers to the whitelist 800 based on the header information and the control information, and determines whether the object related to the packet is registered in the whitelist 800 (Step S202).
- Specifically, the whitelist generating program 421 compares the values included in the header information and the control information with the values of the respective fields in the entries of the whitelist 800, and determines, based on the comparison result, whether an entry corresponding to the packet exists. If such an entry exists, the whitelist generating program 421 determines that the object related to the packet is registered in the whitelist 800.
- In a case where the object related to the packet is not registered in the whitelist 800, the whitelist generating program 421 registers the object in the whitelist 800 (Step S203). Specifically, the process described below is performed.
- The whitelist generating program 421 generates, in the software memory 420, a temporary entry having the same data structure as each entry of the whitelist 800.
- The whitelist generating program 421 sets a unique identification number in the ID 801 of the temporary entry, and sets the minimum communication interval 811, the maximum communication interval 812, and the timer 814 to zero.
- The whitelist generating program 421 also sets the reception time of the packet in the last communication time 813 of the temporary entry. Furthermore, the whitelist generating program 421 sets the respective values included in the header information and the like in the remaining fields of the temporary entry.
- The whitelist generating program 421 adds the temporary entry to the whitelist 800 stored in the whitelist storage memory 340 via the packet transfer unit 300.
- The description above is for Step S203.
- The whitelist generating program 421 then instructs the monitoring program 423 to start measuring the timer value (Step S204).
- This instruction includes the identification number set in the ID 801.
- The monitoring program 423 activates the timer corresponding to the identification number included in the instruction, and starts measuring the timer value. Specifically, the monitoring program 423 stores a timer corresponding to the ID 801 in the timer storage memory 360, and starts measuring the timer value.
- In a case where it is determined in Step S202 that the object related to the packet is registered in the whitelist 800, the whitelist generating program 421 calls the monitoring program 423 (Step S205), and ends the process. At this time, the whitelist generating program 421 inputs the identification number set in the ID 801 of the searched entry into the monitoring program 423.
- The monitoring program 423 sets a variable Tmin and a variable Tmax (Step S301).
- Specifically, the monitoring program 423 refers to the whitelist 800 to search for the entry whose ID 801 matches the input identification information.
- The monitoring program 423 sets the value stored in the minimum communication interval 811 of the searched entry to the variable Tmin, and sets the value stored in the maximum communication interval 812 of the searched entry to the variable Tmax.
- The monitoring program 423 updates the timer 814 of the searched entry (Step S302).
- Specifically, the monitoring program 423 refers to the timer storage memory 360 to obtain the timer value from the timer corresponding to the searched entry, and stores the obtained timer value in the timer 814 of the searched entry.
- The monitoring program 423 then initializes the timer and restarts the measurement.
- The monitoring program 423 determines whether the variable Tmin and the variable Tmax are zero (Step S303).
- In a case where the variable Tmin and the variable Tmax are zero, the monitoring program 423 updates the minimum communication interval 811, the maximum communication interval 812, and the last communication time 813 of the searched entry (Step S307). Then the monitoring program 423 ends the process.
- Specifically, the monitoring program 423 sets the current time in the last communication time 813 of the searched entry.
- The current time is the time determined by the time determining unit 320.
- The monitoring program 423 also sets the timer value stored in the timer 814 into the minimum communication interval 811 and the maximum communication interval 812 of the searched entry.
- In a case where the variable Tmin and the variable Tmax are not zero, the monitoring program 423 updates the last communication time 813 of the searched entry (Step S304).
- Specifically, the monitoring program 423 sets the current time in the last communication time 813 of the searched entry.
- The monitoring program 423 determines whether the timer value stored in the timer 814 of the searched entry is smaller than the variable Tmin (Step S305).
- In a case where the timer value is smaller than the variable Tmin, the monitoring program 423 updates the minimum communication interval 811 of the searched entry (Step S308). Then the monitoring program 423 ends the process.
- Specifically, the monitoring program 423 sets the timer value stored in the timer 814 into the minimum communication interval 811 of the searched entry.
- In a case where the timer value is not smaller than the variable Tmin, the monitoring program 423 determines whether the timer value stored in the timer 814 of the searched entry is greater than the variable Tmax (Step S306).
- In a case where the timer value is greater than the variable Tmax, the monitoring program 423 updates the maximum communication interval 812 of the searched entry (Step S309). Then the monitoring program 423 ends the process.
- Specifically, the monitoring program 423 sets the timer value stored in the timer 814 into the maximum communication interval 812 of the searched entry.
- In a case where the timer value is not greater than the variable Tmax, the monitoring program 423 ends the process.
- Through the processes described above, the relay apparatus 100 of this embodiment generates the whitelist 800 and learns the threshold values (minimum communication interval and maximum communication interval) used for detecting an abnormality of the allowed objects.
- The relay apparatus 100 ends the measurement of the timer values of all allowed objects.
- FIG. 7 is a flowchart for explaining the process executed by the packet transfer unit 300 of Embodiment 1 in the operating state.
- FIG. 8 is a flowchart for explaining the process executed by the monitoring program 423 of Embodiment 1 in the operating state.
- FIG. 9 is a flowchart for explaining the process executed periodically by the monitoring program 423 of Embodiment 1 in the operating state.
- FIG. 7 and FIG. 8 are the flowcharts explaining the processes executed in a case where the relay apparatus 100 receives a packet
- FIG. 9 is a flowchart explaining the process executed periodically.
- In the operating state, the relay apparatus 100 analyzes the received packet and performs transfer control on the packet based on the analysis result and the whitelist 800 . The relay apparatus 100 also periodically monitors the communication interval of each of the allowed objects.
- In a case of receiving a packet from the packet reception unit 200 , the packet transfer unit 300 refers to the whitelist 800 stored in the whitelist storage memory 340 , and determines whether an object related to the packet is registered in the whitelist 800 or not (Step S 401 ).
- the packet transfer unit 300 refers to the whitelist 800 based on the header information and the control information obtained from the packet, and searches for an entry that matches with the header information and the control information. If there is an entry matching the header information and the control information, the packet transfer unit 300 determines that the object related to the packet is registered in the whitelist 800 .
- the packet transfer unit 300 performs the packet transfer control (Step S 406 ). Thereafter, the packet transfer unit 300 ends the process.
- the packet transfer unit 300 discards the received packet, issues a notification indicating that a packet of an object not registered in the whitelist 800 has been received, and the like.
- the process to be executed when a packet of an object not registered in the whitelist 800 is received is not limited to that of this embodiment.
- the packet transfer unit 300 calls the monitoring program 423 (Step S 402 ). Thereafter, the packet transfer unit 300 makes the shift to a waiting state.
- the packet transfer unit 300 inputs the reception time of the packet determined by the time determining unit 320 and the identification number set in the ID 801 of the searched entry.
- the packet transfer unit 300 determines whether a response has been received from the monitoring program 423 or not (Step S 403 ).
- the packet transfer unit 300 returns to Step S 403 after a prescribed period of time has elapsed.
- the packet transfer unit 300 determines whether it is possible to transfer the received packet or not based on the response (Step S 404 ).
- the packet transfer unit 300 determines whether the type of the response is “transfer allowed” or “alert.” If the type of the response is “transfer allowed,” the packet transfer unit 300 determines that it is possible to transfer the received packet. On the other hand, if the type of the response is “alert,” the packet transfer unit 300 determines that it is not possible to transfer the received packet.
- the packet transfer unit 300 performs packet transfer control (Step S 406 ). Thereafter, the packet transfer unit 300 ends the process.
- the packet transfer unit 300 performs packet transfer control (Step S 405 ). Thereafter, the packet transfer unit 300 ends the process.
- the packet transfer unit 300 transfers the packet to a destination apparatus based on the destination information and the like included in the header information of the packet.
- the monitoring program 423 sets a variable Tmin and a variable Tmax (Step S 501 ).
- the monitoring program 423 refers to the whitelist 800 to search an entry in which the ID 801 matches the input identification information.
- the monitoring program 423 sets a value, which is stored in the minimum communication interval 811 of the searched entry, to the variable Tmin, and sets a value, which is stored in the maximum communication interval 812 of the searched entry, to the variable Tmax.
- the monitoring program 423 updates the timer 814 of the searched entry (Step S 502 ).
- the monitoring program 423 refers to the timer storage memory 360 to obtain the timer value from the timer corresponding to the searched entry, and stores the obtained timer value in the timer 814 of the searched entry.
- the monitoring program 423 initializes the timer, and restarts the measurement.
- the monitoring program 423 updates the last communication time 813 of the searched entry (Step S 503 ).
- the monitoring program 423 sets the reception time of the input packet in the last communication time 813 of the searched entry.
- the monitoring program 423 determines whether the timer value stored in the timer 814 of the searched entry is smaller than the variable Tmin or not (Step S 504 ).
- the monitoring program 423 sends a response whose type is “alert” to the packet transfer unit 300 (Step S 507 ). Then the monitoring program 423 ends the process.
- the monitoring program 423 may also send an alert to the input/output device 700 to notify the administrator and the like of the abnormality of the allowed object.
- the generated alert may include information indicating that the communication interval of the allowed object is too short.
- the monitoring program 423 determines whether the timer value stored in the timer 814 of the searched entry is greater than the variable Tmax or not (Step S 505 ).
- the monitoring program 423 sends a response whose type is “alert” to the packet transfer unit 300 (Step S 507 ). Then the monitoring program 423 ends the process.
- the generated alert may include information indicating that the communication interval of the allowed object is too long.
- the monitoring program 423 sends a response whose type is “transfer allowed” to the packet transfer unit 300 (Step S 506 ).
- the relay apparatus 100 of Embodiment 1 can cut off the communications performed by an object even if such an object is the allowed object registered in the whitelist 800 , and can notify that an abnormality has been detected.
- Whether the response whose type is “alert” is generated or not may depend on how many times the determination process has taken place in Step S 504 and Step S 505 .
- a threshold of the number of times of the determination process can be set and updated by the administrator at a desired timing.
- the monitoring program 423 determines whether a trigger of execution is detected or not (Step S 601 ).
- the monitoring program 423 determines whether the execution period has elapsed or not. In a case where it is determined that the execution period has elapsed, the monitoring program 423 determines that a trigger of execution is detected. The monitoring program 423 may also determine that a trigger of execution is detected in a case of receiving an execution instruction from the administrator or the like.
- the monitoring program 423 returns to Step S 601 after a prescribed period of time has elapsed.
- the monitoring program 423 starts a loop process of the entries included in the whitelist 800 (Step S 602 ).
- the monitoring program 423 selects one target entry from the whitelist 800 .
- the monitoring program 423 also obtains the current time from the time determining unit 320 .
- the monitoring program 423 sets a variable Tmax (Step S 603 ).
- the monitoring program 423 sets a value stored in the maximum communication interval 812 of the target entry to the variable Tmax.
- the monitoring program 423 updates the timer 814 of the target entry (Step S 604 ).
- the monitoring program 423 refers to the timer storage memory 360 to obtain the timer value from the timer corresponding to the target entry, and stores the obtained timer value in the timer 814 of the target entry.
- the timer is not initialized.
- the monitoring program 423 determines whether the timer value stored in the timer 814 of the target entry is greater than the variable Tmax or not (Step S 605 ).
- the monitoring program 423 proceeds to Step S 607 .
- the monitoring program 423 sends a response whose type is “alert” to the packet transfer unit 300 (Step S 606 ). Thereafter, the monitoring program 423 proceeds to Step S 607 .
- the monitoring program 423 may also send the alert to the input/output device 700 .
- the generated alert may include information indicating that no communication has been performed for a long period of time.
- the packet transfer unit 300 may add a flag to the target entry so that the communications from the allowed object corresponding to the target entry are cut off.
- in Step S 607 , the monitoring program 423 determines whether the process is complete for all entries of the whitelist 800 .
- the monitoring program 423 returns to Step S 602 to select a new target entry and executes the same process.
- the monitoring program 423 returns to Step S 601 after a prescribed period of time has elapsed.
- the relay apparatus 100 of Embodiment 1 can cut off the communications from an object even if such an object is the allowed object registered in the whitelist 800 , and can notify that an abnormality has been detected.
- In a case where a terminal registered in the whitelist 800 is infected with a virus and has become a stepping stone for a DDoS attack, the terminal sends out a large number of packets in a short period of time.
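As an added example (not code from the patent or from the applicant's product), the learning of Tmin and Tmax and the two operating-state procedures above, the per-packet check (Steps S 501 to S 507 ) and the periodic sweep (Steps S 601 to S 607 ), in Python; the (source, destination, protocol) object key, the field names and the sample traffic in `demo()` are assumptions.

```python
"""Whitelist relay with per-object communication-interval monitoring.
Added example modelled on the description above, not the patent's own code;
the (src, dst, protocol) object key, the field names and the sample traffic
in demo() are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ObjectKey = Tuple[str, str, str]          # assumed: (src, dst, protocol)


@dataclass
class Entry:
    """One whitelist entry: the learned band plus the monitoring fields."""
    min_interval: float = float("inf")    # minimum communication interval 811
    max_interval: float = 0.0             # maximum communication interval 812
    last_time: Optional[float] = None     # last communication time 813
    timer: float = 0.0                    # timer 814 (seconds since last packet)


class Relay:
    def __init__(self) -> None:
        self.whitelist: Dict[ObjectKey, Entry] = {}
        self.alerts: List[str] = []

    # Learning state: register the object and widen its [Tmin, Tmax] band.
    # At least two packets per object are needed before the band is usable.
    def learn(self, key: ObjectKey, now: float) -> None:
        e = self.whitelist.setdefault(key, Entry())
        if e.last_time is not None:
            gap = now - e.last_time
            e.min_interval = min(e.min_interval, gap)   # Steps S 307 / S 308
            e.max_interval = max(e.max_interval, gap)   # Steps S 306 / S 309
        e.last_time = now

    # Operating state, per packet (Steps S 401-S 406 and S 501-S 507).
    def on_packet(self, key: ObjectKey, now: float) -> str:
        """Return 'discard', 'alert' or 'transfer allowed' for one packet."""
        e = self.whitelist.get(key)
        if e is None:
            return "discard"              # object not registered in the whitelist
        tmin, tmax = e.min_interval, e.max_interval   # Step S 501
        e.timer = now - e.last_time       # Step S 502: read timer, then restart it
        e.last_time = now                 # Step S 503
        if e.timer < tmin:                # Step S 504: burst from an allowed object
            self.alerts.append(f"{key}: interval too short ({e.timer:g} s)")
            return "alert"                # Step S 507
        if e.timer > tmax:                # Step S 505
            self.alerts.append(f"{key}: interval too long ({e.timer:g} s)")
            return "alert"                # Step S 507
        return "transfer allowed"         # Step S 506

    # Operating state, periodic sweep (Steps S 601-S 607): the timer is read
    # but not restarted, so a silent object keeps accumulating elapsed time.
    def periodic_check(self, now: float) -> List[ObjectKey]:
        silent: List[ObjectKey] = []
        for key, e in self.whitelist.items():
            e.timer = now - e.last_time                 # Step S 604
            if e.timer > e.max_interval:                # Step S 605
                self.alerts.append(f"{key}: no communication for {e.timer:g} s")
                silent.append(key)                      # Step S 606
        return silent


def demo() -> dict:
    """Constructed traffic: a device polling every 1-2 s, then a burst, then silence."""
    relay = Relay()
    plc = ("10.0.0.5", "10.0.0.9", "modbus")            # constructed sample object
    for t in (0.0, 1.0, 3.0, 4.0, 6.0):                  # learning state
        relay.learn(plc, t)
    band = (relay.whitelist[plc].min_interval, relay.whitelist[plc].max_interval)
    verdicts = [relay.on_packet(plc, t) for t in (7.5, 7.6)]   # 1.5 s ok, 0.1 s burst
    unknown = relay.on_packet(("10.0.0.7", "10.0.0.9", "modbus"), 8.0)
    silent = relay.periodic_check(now=20.0)              # 12.4 s since last packet
    return {"band": band, "verdicts": verdicts, "unknown": unknown,
            "silent": silent, "alerts": relay.alerts}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```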
- the prior relay apparatus would transfer all the packets sent from the terminal registered in the whitelist. Thus, it would not be possible to detect or defend against the DDoS attack.
- the relay apparatus 100 of Embodiment 1 can cut off the communication in a case of detecting the communications with short communication interval. This makes it possible to detect or defend against the DDoS attack.
- the prior relay apparatus cannot detect such an abnormality.
- the relay apparatus 100 of Embodiment 1 can detect an abnormality of an object by detecting a terminal that is registered in the whitelist and that has not been in operation for a prescribed period of time.
- a transfer control method executed by a communication apparatus that transfers received data, the communication apparatus including an arithmetic device, a storage device coupled to the arithmetic device, and a communication interface coupled to the arithmetic device, and storing a whitelist to manage an allowed object that is allowed to perform communications via the communication apparatus
- the transfer control method comprises: a first step of performing, by the arithmetic device, transfer control on the received data based on the whitelist; and a second step of analyzing, by the arithmetic device, behavior related to communications performed by the allowed object, wherein the second step includes: a step of calculating, by the arithmetic device, a monitoring parameter that indicates the behavior related to the communications performed by the allowed object, and a step of detecting, by the arithmetic device, the allowed object where an abnormality occurred based on the monitoring parameter.
- the transfer control method according to (2), further including: a step of generating, by the arithmetic device, in a case of detecting an allowed object in which an abnormality has occurred, an alert for notifying that such an allowed object has been detected; and a step of transmitting, by the arithmetic device, the alert.
- the transfer control method according to (2), further including a step of cutting off, by the arithmetic device, the communication of an allowed object in which an abnormality has occurred, in a case of detecting such an allowed object.
- the transfer control method according to (2), further including: a step of analyzing, by the arithmetic device, communications performed by a plurality of the allowed objects via the communication apparatus; a step of calculating, by the arithmetic device, the communication interval of each of the plurality of the allowed objects based on analysis results of the communications of the plurality of the allowed objects; and a step of storing, by the arithmetic device, the communication interval of each of the plurality of the allowed objects in the storage device as the threshold value.
- the present invention is not limited to the above embodiment and includes various modification examples.
- the configurations of the above embodiment are described in detail so as to describe the present invention comprehensibly.
- the present invention is not necessarily limited to the embodiment that is provided with all of the configurations described.
- a part of each configuration of the embodiment may be removed, substituted, or added to other configurations.
- a part or the entirety of each of the above configurations, functions, processing units, processing means, and the like may be realized by hardware, such as by designing integrated circuits therefor.
- the present invention can be realized by program codes of software that realizes the functions of the embodiment.
- a storage medium on which the program codes are recorded is provided to a computer, and a CPU that the computer is provided with reads the program codes stored on the storage medium.
- the program codes read from the storage medium realize the functions of the above embodiment, and the program codes and the storage medium storing the program codes constitute the present invention.
- Examples of such a storage medium used for supplying program codes include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, a solid state drive (SSD), an optical disc, a magneto-optical disc, a CD-R, a magnetic tape, a non-volatile memory card, and a ROM.
- the program codes that realize the functions written in the present embodiment can be implemented by a wide range of programming and scripting languages such as assembler, C/C++, Perl, shell scripts, PHP, and Java (registered trademark).
- the program codes of the software that realizes the functions of the embodiment may be stored on storing means such as a hard disk or a memory of the computer, or on a storage medium such as a CD-RW or a CD-R, by distributing the program codes through a network, and the CPU that the computer is provided with reads and executes the program codes stored on the storing means or on the storage medium.
- control lines and information lines that are considered necessary for the description are illustrated; not all the control lines and information lines of a product are necessarily illustrated. All of the configurations of the embodiment may be connected to each other.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018-005228 | 2018-01-16 | | |
JP2018005228A JP2019125914A (en) | 2018-01-16 | 2018-01-16 | Communication device and program |
Publications (2)
Publication Number | Publication Date |
---|---|
US20190222578A1 (en) | 2019-07-18 |
US11095651B2 (en) | 2021-08-17 |
Family
ID=67214440
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/247,882 Active 2039-10-11 US11095651B2 (en) | 2018-01-16 | 2019-01-15 | Communication apparatus and non-transitory computer readable storage medium |
Country Status (2)
Country | Link |
---|---|
US (1) | US11095651B2 (en) |
JP (1) | JP2019125914A (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019072305A2 (en) * | 2018-12-28 | 2019-04-18 | Alibaba Group Holding Limited | Parallel execution of transactions in a blockchain network based on smart contract whitelists |
KR102234128B1 (en) | 2018-12-28 | 2021-04-02 | 어드밴스드 뉴 테크놀로지스 씨오., 엘티디. | Parallel execution of transactions on the blockchain network |
- 2018-01-16 JP JP2018005228A patent/JP2019125914A/en active Pending
- 2019-01-15 US US16/247,882 patent/US11095651B2/en active Active
Patent Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070115850A1 (en) * | 2005-10-20 | 2007-05-24 | Kazuaki Tsuchiya | Detection method for abnormal traffic and packet relay apparatus |
US7729271B2 (en) * | 2005-10-20 | 2010-06-01 | Alaxala Networks Corporation | Detection method for abnormal traffic and packet relay apparatus |
US20090238081A1 (en) | 2006-06-19 | 2009-09-24 | Yokogawa Electric Corporation | Network management system, data acquisition apparatus, and method for checking operating conditions of nodes |
US7969880B2 (en) * | 2006-08-11 | 2011-06-28 | Alaxala Networks Corporation | Device and method for relaying packets |
JP2010003054A (en) | 2008-06-19 | 2010-01-07 | Yokogawa Electric Corp | Network management system, data acquisition device and node operation state acquiring method |
US20100091770A1 (en) * | 2008-10-06 | 2010-04-15 | Alaxala Networks Corporation | Packet relay device |
US20110170552A1 (en) * | 2010-01-08 | 2011-07-14 | Alaxala Networks Corporation | Packet relay apparatus |
US20120033550A1 (en) * | 2010-08-06 | 2012-02-09 | Alaxala Networks Corporation | Packet relay device and congestion control method |
US20130269031A1 (en) * | 2012-02-20 | 2013-10-10 | Alaxala Networks Corporation | Network system, network relay method, and network relay device |
US20150067764A1 (en) * | 2013-09-03 | 2015-03-05 | Electronics And Telecommunications Research Institute | Whitelist-based network switch |
US9369434B2 (en) * | 2013-09-03 | 2016-06-14 | Electronics And Telecommunications Research Institute | Whitelist-based network switch |
JP2017005402A (en) | 2015-06-08 | 2017-01-05 | アラクサラネットワークス株式会社 | Communication device |
US20180144119A1 (en) | 2015-08-31 | 2018-05-24 | Panasonic Intellectual Property Corporation Of America | Misuse detection method, misuse detection electronic control unit, and misuse detection system |
JP2017050481A (en) | 2015-09-04 | 2017-03-09 | リンテック株式会社 | Sheet sticking device and sheet sticking method |
JP2018007179A (en) | 2016-07-07 | 2018-01-11 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | Device, method and program for monitoring |
US20200314130A1 (en) * | 2017-01-19 | 2020-10-01 | Mitsubishi Electric Corporation | Attack detection device, attack detection method, and computer readable medium |
US20200059399A1 (en) * | 2018-08-20 | 2020-02-20 | Fujitsu Limited | Information processing apparatus and abnormality diagnosis method |
US20200287914A1 (en) * | 2019-03-04 | 2020-09-10 | Malwarebytes Inc. | Facet Whitelisting in Anomaly Detection |
Non-Patent Citations (2)
Title |
---|
Japanese Office Action received in corresponding Japanese Application No. 2018-005228 dated Jul. 6, 2021. |
Yamaguchi, T. et al., "Potentiality of Whitelisting Intrusion Detection Method for Plant Control System", 2016 Symposium on Cryptography and Information Security, Jan. 22, 2016, pp. 1-6 with partial translation. |
Also Published As
Publication number | Publication date |
---|---|
US20190222578A1 (en) | 2019-07-18 |
JP2019125914A (en) | 2019-07-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: ALAXALA NETWORKS CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NAGAO, KOYURU;UCHIZUMI, KEIGO;SIGNING DATES FROM 20181210 TO 20181214;REEL/FRAME:048008/0895 |
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |